Use the catauditlog command to display the in-memory contents of the audit log.
>>- svcinfo -- -- catauditlog -- ------------------------------->

>--+-----------------------------------------+-- --------------><
   '- -first -- number_of_entries_to_return -'
This command lists a specified number of the most recently audited commands.
The in-memory portion of the audit log can hold approximately 1 MB of audit information. Depending on the command text size and the number of parameters, 1 MB records approximately 6000 commands.
Once the in-memory audit log has reached its maximum capacity, the log is written to a local file on the configuration node in the /dumps/audit directory. The svcinfo catauditlog command only displays the in-memory part of the audit log; the on-disk part of the audit log is in readable text format and does not need any special command to decode it.
The in-memory log entries are reset and cleared automatically, ready to start accumulating new commands. The on-disk portion of the audit log can then be analyzed at a later date.
The lsauditlogdumps command can be used to list the files that are on the disk.
The in-memory portion of the audit log can be transferred to an on-disk file using the svctask dumpauditlog command. This action clears the in-memory portion of the log.
In the following example, the user has specified that they want to list the 15 most recent audit log entries.
An invocation example
svcinfo catauditlog -delim : -first 15
The resulting output
audit_seq_no:timestamp:cluster_user:ssh_label:icat_user:result:res_obj_id:action_cmd
125:060311111800:admin:Joe::0::svctask rmsshkey -key label47 -user admin
126:060311111800:admin:Joe::0::svctask addsshkey -label label48 -file /home/Joe/id_rsa.pub -user admin
127:060311111800:admin:Joe::0::svctask rmsshkey -key label48 -user admin
128:060311111800:admin:Joe::0::svctask addsshkey -label label49 -file /home/Joe/id_rsa.pub -user admin
129:060311111800:admin:Joe::0::svctask rmsshkey -key label49 -user admin
130:060311134617:admin:Joe::0::svctask chmdisk -name ca-0 1
131:060311134617:admin:Joe::0::svctask chmdisk -name ca-1 2
132:060311134617:admin:Joe::0::svctask chmdisk -name ca-2 3
133:060311134617:admin:Joe::0::svctask chmdisk -name cb-0 4
134:060311134617:admin:Joe::0::svctask chmdisk -name cb-1 5
135:060311134617:admin:Joe::0::svctask chmdisk -name cb-2 6
136:060311134617:admin:Joe::0::svctask chmdisk -name cc-0 7
137:060311134617:admin:Joe::0::svctask chmdisk -name cc-1 8
138:060311134617:admin:Joe::0::svctask chmdisk -name cc-2 9
139:060311134632:admin:Joe::0::svctask mkmdiskgrp -name custa-mdisks -ext 512 -mdisk ca-0:ca-1:ca-2
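With -delim :, the colon separates fields but can also appear inside action_cmd (entry 139 ends in -mdisk ca-0:ca-1:ca-2), so a reviewer's parser must split on only the first seven delimiters. The following is an added example, not part of the product documentation; the function names are hypothetical, and treating a jump in audit_seq_no as something to review assumes the numbers increase by one, as they do in the output above.

```python
# Added example: parse `svcinfo catauditlog -delim :` output for audit review.
FIELDS = ["audit_seq_no", "timestamp", "cluster_user", "ssh_label",
          "icat_user", "result", "res_obj_id", "action_cmd"]

# Subset of the page's output; rows 131-138 are omitted on purpose
# so that the gap check below has something to report.
SAMPLE = """\
audit_seq_no:timestamp:cluster_user:ssh_label:icat_user:result:res_obj_id:action_cmd
128:060311111800:admin:Joe::0::svctask addsshkey -label label49 -file /home/Joe/id_rsa.pub -user admin
129:060311111800:admin:Joe::0::svctask rmsshkey -key label49 -user admin
130:060311134617:admin:Joe::0::svctask chmdisk -name ca-0 1
139:060311134632:admin:Joe::0::svctask mkmdiskgrp -name custa-mdisks -ext 512 -mdisk ca-0:ca-1:ca-2
"""

def parse_catauditlog(text, delim=":"):
    """Return one dict per audit entry; action_cmd keeps any embedded delimiters."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or lines[0].split(delim) != FIELDS:
        raise ValueError("unexpected or missing header line")
    entries = []
    for ln in lines[1:]:
        # Split on the first 7 delimiters only: the 8th field is free text.
        parts = ln.split(delim, len(FIELDS) - 1)
        if len(parts) != len(FIELDS):
            raise ValueError("short record: %r" % ln)
        entry = dict(zip(FIELDS, parts))
        entry["audit_seq_no"] = int(entry["audit_seq_no"])
        entries.append(entry)
    return entries

def sequence_gaps(entries):
    """Pairs of consecutive entries whose sequence numbers are not adjacent."""
    seqs = [e["audit_seq_no"] for e in entries]
    return [(a, b) for a, b in zip(seqs, seqs[1:]) if b != a + 1]

def ssh_key_changes(entries):
    """Entries whose command adds or removes an SSH key (addsshkey / rmsshkey)."""
    hits = []
    for e in entries:
        words = e["action_cmd"].split()
        if len(words) > 1 and words[1] in ("addsshkey", "rmsshkey"):
            hits.append(e)
    return hits

if __name__ == "__main__":
    log = parse_catauditlog(SAMPLE)
    print("gaps:", sequence_gaps(log))
    for e in ssh_key_changes(log):
        print(e["audit_seq_no"], e["cluster_user"], e["ssh_label"], e["action_cmd"])
```
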